1

I know I can put something in cloudfront/S3 that then calls lambda functions to do things, and I know how to do that, but I'm trying to directly expose lambda functions as a web site - ie have a set of functions that produce html, and hit them with a browser.

What I am particularly getting confused by is the security model. It's very important that this "site" will have some sort of "login" - ie not just anyone can call it - but also that this is not tied to my or anyone else's aws credentials, or reliant on any shared secrets.

Is this possible, just using lambda + api gateway? or lambda + cloudfront?

Darren Oakey

3 Answers

4

I'm not sure the other answers actually answer your question. They seem to be suggesting for you to build a single page app with Angular/React/Whatever but I think you are asking if you can serve HTML directly from API Gateway / Lambda. The answer to that is yes. To log in a user it would look like this:

  1. User visits page - API Gateway calls Login Lambda to render login html
  2. User fills out form, submits form method="POST" - API Gateway maps form data to JSON and passes it to Authorizer Lambda, if auth'd it lets API Gateway call the Protected Content Lambda to get the html for that page
  3. API Gateway sets a cookie saying that the user is auth'd
  4. on subsequent page views, API Gateway passes the cookie to the Authorizer Lambda which again determines if the user can proceed

See this post here on how to serve html: Return Html from API Gateway

Authorizer Lambda to handle authentication (with this, you can use any type of authentication scheme you want): Custom Authorizers

Since you just want to use html, your login form will need to transform POST application/www-form-urlencoded data to JSON via an API Gateway mapping template instead of using an ajax call: https://gist.github.com/ryanray/668022ad2432e38493df

If you aren't using ajax requests to load data you will most likely need to use cookies for authentication. See this post on how to access/set cookie data in API Gateway: Using AWS Gateway API, can I access the cookies?

Ryan
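Steps 3 and 4 of the answer above (set a cookie, then have the Authorizer Lambda check it on every page view), as an added example that is not part of the original answer. It assumes a REQUEST-type Lambda authorizer, a hypothetical `session` cookie of the form `user.expiry.signature`, and a server-side signing key supplied in a `SESSION_KEY` environment variable; the HMAC-signed token is one scheme chosen for illustration.

```python
import base64, hashlib, hmac, os, time
from http.cookies import SimpleCookie

# Assumption: signing key known only to the Lambdas (demo fallback is constructed).
KEY = os.environ.get("SESSION_KEY", "constructed-demo-key").encode()
COOKIE = "session"  # hypothetical cookie name
TTL = 3600          # session lifetime in seconds

def _sign(payload: str) -> bytes:
    mac = hmac.new(KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=")

def issue_cookie(user: str, now=None) -> str:
    """Set-Cookie value the login Lambda returns once credentials check out.
    Assumes `user` contains only cookie-safe characters."""
    now = time.time() if now is None else now
    payload = f"{user}.{int(now) + TTL}"
    return (f"{COOKIE}={payload}.{_sign(payload).decode()}; "
            "HttpOnly; Secure; SameSite=Lax; Path=/")

def verify_cookie(header, now=None):
    """Return the user name for a valid, unexpired session cookie, else None."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    try:
        jar.load(header or "")
        user, expiry, sig = jar[COOKIE].value.rsplit(".", 2)
        fresh = int(expiry) > now
    except Exception:  # malformed header, missing cookie, wrong field count
        return None
    # Constant-time comparison so the signature cannot be guessed byte by byte.
    ok = hmac.compare_digest(sig.encode(), _sign(f"{user}.{expiry}"))
    return user if ok and fresh else None

def handler(event, context=None):
    """Authorizer entry point: Allow only when the request has a valid session."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    user = verify_cookie(headers.get("cookie"))
    return {
        "principalId": user or "anonymous",
        "policyDocument": {"Version": "2012-10-17", "Statement": [{
            "Action": "execute-api:Invoke",
            "Effect": "Allow" if user else "Deny",
            "Resource": event["methodArn"],
        }]},
    }
```

The `HttpOnly`, `Secure` and `SameSite` attributes keep the session cookie away from page scripts, plain HTTP and most cross-site requests; a missing, tampered or expired cookie yields an explicit `Deny` policy.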
1

Actually this depends on the use case.

You can build a full dynamic web application using the following AWS services:

  • S3 for static content, e.g. a React/Angular app and other static apps
  • CloudFront as a CDN and as a Proxy.
  • API Gateway to build an API for your backend.
  • Lambda as the computing functions for your API resource endpoints.

When it comes to security, you can use AWS Cognito and user pools. You can configure your API Gateway with Cognito user pools to authenticate and authorize users. If you prefer, API Gateway provides functionality for you to write your own custom authorizers as well.

An application developed using the above services qualifies as a serverless application.

You can read more about serverless using following links.

Building Serverless web applications

AWS doc on building a serverless web app

  • thanks - I didn't put this as the accepted answer because I specifically said I don't want to use S3, but I do appreciate it and didn't know about cognito which hopefully will do what I want! – Darren Oakey Jul 16 '17 at 21:09
1

You can build a web application with login support even without Lambda for simple applications using the services below.

  • AWS S3 (Store Static Assets like HTML,JS,CSS)
  • AWS DynamoDB (Data Storage)
  • AWS Cognito (For Login)

You can even provide fine-grained access control for DynamoDB, only allowing users to access particular rows. One of the main limitations is building a security model for multi-tenant applications where multiple users belong to a group and require group-level authorization. Another limitation is adding a DNS record directly to the S3 bucket, where it will be limited to a domain with the S3 bucket name. Also, CORS will reduce application performance due to preflight requests. To solve the above limitations and many more, you can additionally use the following services.

  • AWS CloudFront (to remove the DNS limitation and CORS, performance improvement by caching, Web Application Firewall integration for additional security, etc.)
  • AWS Lambda (to provide multi-tenant custom authorizations, etc.)
  • AWS API Gateway (throttling, integrations, etc.)

Adding the above services also provides flexibility in using different data storage mechanisms and utilizing other AWS services.

So in summary you can use the following set of services as the foundation for web applications in AWS.

  • AWS S3
  • AWS API Gateway
  • AWS Lambda
  • AWS CloudFront
  • AWS Cognito
Ashan